So, who are the bad guys in this drama, what do they want with us, and how are they going about doing it? A number of major companies now publish data about the various threats, including Verizon, Kaspersky Labs, McAfee, FireEye and others. The FBI publishes a 10 Most Wanted list for cybercriminals, and most people agree on the categories and characteristics of various threat types, but beyond that it is hard to come by exact numbers.
What we do know more about is how attacks happen and who the targets are. Kaspersky claims that in 2014 their network detected and neutralized over 6 billion threats and 1.5 billion attacks, launched from almost 9 million distinct computer hosts and using more than 120 million discrete malicious objects. One reason attacks have become so pervasive is that perpetrators use automated techniques to vary their code, making it harder for anti-virus software to rely on signatures alone for detection. Verizon says that 70% – 90% of malware samples are unique to a single organization as a result of these “polymorphic” techniques.

McAfee says that almost 80% of network attacks fall into one of three categories: denial of service, brute force (generally, attacks that guess passwords), and browser-based attacks. According to the Verizon 2015 Data Breach Investigations Report, the share of external attacks has remained relatively constant over the past 5 years at about 85% of all attacks, meaning that internal attacks account for about 15%. Phishing and RAM scrapers (used in the Target and other point-of-sale attacks) are the fastest-growing types of attack over that period, while spyware and keyloggers have declined significantly. Cyren reports that in 2014 they saw:
- 159% increase in malware URLs
- 233% increase in phishing URLs
- 50% increase in average daily number of emails containing malware – from 1.69 to 2.5 billion
- 30% decline in the average daily amount of spam from 78.2 billion to 54.6 billion
which is consistent with most other reports that phishing is one of the biggest problems we face. In fact, the Verizon report indicates that more than two-thirds of cyber-espionage attacks include phishing, a number that jumps to 95% for attacks attributed to state-sponsored actors. The report says that 23% of recipients now open phishing messages and 11% click on attachments, half within the first hour after a phishing e-mail is received, and some within the first couple of minutes. It takes a phishing campaign of only 10 e-mails to give the perpetrator a better than 90% chance of finding a victim.
The data on insider misuse of information is also disheartening. In a survey conducted by Symantec and the Ponemon Institute in 2009, over half of ex-employees admitted to stealing company data. While not all insider “attacks” are malicious (many are honest mistakes, or cases where employees become unwitting accomplices), the threat of data leakage has become a major issue.
On the positive side, the anticipated threat to mobile devices seems to be less than some had feared. The Verizon report says that only 0.03% of mobile devices were infected with malicious exploits (as opposed to merely annoying adware), a “negligible” number unless you are one of the 20,000 to 30,000 devices infected per month. Almost all of those infections (96%) were on Android devices, and much of the suspicious activity seen on iOS devices actually represented failed attacks targeted at Android.
Finally, the types of attack vary widely by industry sector, with this chart from the Verizon report showing some interesting patterns (in the hotel industry, 91% of attacks are point-of-sale attacks, while for manufacturing 94% are either crimeware or cyber-espionage).
So what can you take away from all this data? The people responsible for these cyber-threats are clever and adapt to changing defenses. But some threats have been reduced, and others are not as prevalent as we feared they might be. People are still the weakest link, both as a threat and as an attack vector. Good cyber hygiene remains your best bet. Do the easy stuff: be aware, don’t click on suspicious links, use strong passwords and change them regularly, and keep your systems updated. The technology is getting better, as long as you don’t do things to undermine its effectiveness.